redline | 013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643

Analysis

max time kernel
163s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe
Size

957KB
MD5

82dd9d01dbf4259b59852cdd2e3efa3e
SHA1

7b3f3fd8b49bce8dfb1656b6c5c65b295cfd4869
SHA256

013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643
SHA512

29c9bc67dc54fc3789ca90479299060a06ae004a2f9ab5b3883884fb85c111e1c477cfd171c179b6adb54959b88504faba2d4f4d68081e0ca94b67f2639a035d
SSDEEP

12288:qbMvCo2dAKlpItf+BV3Xv6lHYBPHRqPD+xoRj3cM58Gu9cA1dAr:nv12dAK4tf+BVH30YoRj3cHJA

Score

10^/10

redline smokeloader grome backdoor infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CD41.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\CD41.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 9 IoCs

Processes:

CA11.exeCBC9.exeCD41.exeUh8nj1Cy.exeTy8wK5MD.execW0ku1hV.exewN0EH8Zc.exe1He04Cc6.exe2Ri192wf.exe

pid process

3212 CA11.exe
4760 CBC9.exe
2196 CD41.exe
6556 Uh8nj1Cy.exe
6776 Ty8wK5MD.exe
6444 cW0ku1hV.exe
5236 wN0EH8Zc.exe
5000 1He04Cc6.exe
2796 2Ri192wf.exe

pid	process
3212	CA11.exe
4760	CBC9.exe
2196	CD41.exe
6556	Uh8nj1Cy.exe
6776	Ty8wK5MD.exe
6444	cW0ku1hV.exe
5236	wN0EH8Zc.exe
5000	1He04Cc6.exe
2796	2Ri192wf.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ty8wK5MD.execW0ku1hV.exewN0EH8Zc.exeCA11.exeUh8nj1Cy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ty8wK5MD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cW0ku1hV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	wN0EH8Zc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CA11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uh8nj1Cy.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe1He04Cc6.exe

description	pid	process	target process
PID 1916 set thread context of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 5000 set thread context of 4144	5000	1He04Cc6.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2760	1916	WerFault.exe	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe
3228	5000	WerFault.exe	1He04Cc6.exe
6480	4144	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
584	AppLaunch.exe
584	AppLaunch.exe
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308
3308

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3308
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AppLaunch.exe

pid process

584 AppLaunch.exe

pid	process
3308

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308
Token: SeShutdownPrivilege	3308
Token: SeCreatePagefilePrivilege	3308

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe
2376	msedge.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3308

pid	process
3308

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.execmd.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 1916 wrote to memory of 584	1916	013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe	AppLaunch.exe
PID 3308 wrote to memory of 3212	3308		CA11.exe
PID 3308 wrote to memory of 3212	3308		CA11.exe
PID 3308 wrote to memory of 3212	3308		CA11.exe
PID 3308 wrote to memory of 3284	3308		cmd.exe
PID 3308 wrote to memory of 3284	3308		cmd.exe
PID 3308 wrote to memory of 4760	3308		CBC9.exe
PID 3308 wrote to memory of 4760	3308		CBC9.exe
PID 3308 wrote to memory of 4760	3308		CBC9.exe
PID 3308 wrote to memory of 2196	3308		CD41.exe
PID 3308 wrote to memory of 2196	3308		CD41.exe
PID 3308 wrote to memory of 2196	3308		CD41.exe
PID 3284 wrote to memory of 3340	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 3340	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 4708	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 4708	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2376	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2376	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2032	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2032	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 652	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 652	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2408	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 2408	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 3808	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 3808	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 1948	3284	cmd.exe	msedge.exe
PID 3284 wrote to memory of 1948	3284	cmd.exe	msedge.exe
PID 4708 wrote to memory of 2276	4708	msedge.exe	msedge.exe
PID 4708 wrote to memory of 2276	4708	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1724	1948	msedge.exe	msedge.exe
PID 1948 wrote to memory of 1724	1948	msedge.exe	msedge.exe
PID 2376 wrote to memory of 480	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 480	2376	msedge.exe	msedge.exe
PID 652 wrote to memory of 1212	652	msedge.exe	msedge.exe
PID 652 wrote to memory of 1212	652	msedge.exe	msedge.exe
PID 2032 wrote to memory of 3992	2032	msedge.exe	msedge.exe
PID 2032 wrote to memory of 3992	2032	msedge.exe	msedge.exe
PID 2408 wrote to memory of 2072	2408	msedge.exe	msedge.exe
PID 2408 wrote to memory of 2072	2408	msedge.exe	msedge.exe
PID 3340 wrote to memory of 5116	3340	msedge.exe	msedge.exe
PID 3340 wrote to memory of 5116	3340	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe
PID 2376 wrote to memory of 5212	2376	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe
"C:\Users\Admin\AppData\Local\Temp\013e3153a1a954ffdfcde3f20dcfdb39277106b91f9c347bb3c970e917166643.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 292
2⤵
- Program crash
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\CA11.exe
C:\Users\Admin\AppData\Local\Temp\CA11.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh8nj1Cy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh8nj1Cy.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty8wK5MD.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty8wK5MD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cW0ku1hV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cW0ku1hV.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wN0EH8Zc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wN0EH8Zc.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5236

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1He04Cc6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1He04Cc6.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:6172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 540
8⤵
- Program crash
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 600
7⤵
- Program crash
PID:3228

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ri192wf.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ri192wf.exe
6⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAED.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,6464250824307792396,5943827601596921846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,6464250824307792396,5943827601596921846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
3⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
3⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
3⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
3⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
3⤵
PID:6316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
3⤵
PID:6484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
3⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
3⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
3⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
3⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
3⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
3⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
3⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
3⤵
PID:7136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
3⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
3⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
PID:6708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6716534506121771653,677167071566265176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
3⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3126855577728387645,12763015545704162958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
3⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3126855577728387645,12763015545704162958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9613299934511780342,5728338881592290149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9613299934511780342,5728338881592290149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
3⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9056266303249525885,5149324174371122656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
3⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9056266303249525885,5149324174371122656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,17510197567415925601,4772278671418139333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
3⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17510197567415925601,4772278671418139333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
3⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb475646f8,0x7ffb47564708,0x7ffb47564718
3⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17871904688821748667,17447171524489359050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17871904688821748667,17447171524489359050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
3⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\CBC9.exe
C:\Users\Admin\AppData\Local\Temp\CBC9.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Users\Admin\AppData\Local\Temp\CD41.exe
C:\Users\Admin\AppData\Local\Temp\CD41.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5000 -ip 5000
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4144 -ip 4144
1⤵
PID:6056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2f221ded-cf1e-4786-a26d-dc3e6dc08ced.tmp
Filesize
2KB

MD5
0008c9a46c8db81796ca98ffb1087fa0

SHA1
2184d6ef441d68e7ed8648a15634936008dff69d

SHA256
cffe1ce052b001a8489a698ec6cb6cd613d4488092d2d447580376e585470886

SHA512
6e0c5bea413638da30557ff1ad3226954bbe80a1e86ca84f82d0fe4adf9933d44926f882f84470523d18c674dcbc966c31dbbe01fbe300352bee50283814c97b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\668a4ccf-fdb9-4387-a065-9348373cb5d0.tmp
Filesize
2KB

MD5
775eeefc1408bf2899bf89f579029468

SHA1
a83d615548b574bbdf4fa346f47e97c4c84f90a6

SHA256
5f78deffbc49b44a36dcd1371126c35cadd6e7cbf5a3d25b2f5d0ac04961292a

SHA512
64afe50b4deac4c7ed0923a5b53fb1f2d0cbac8f3141f696f6918700b925efb6bbc5dc2851ad337eff5c228a6cdbcad8f805c1d0528807943aa123ef85d9e88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7993fec1-359b-49e5-b36b-d71d55b424f4.tmp
Filesize
2KB

MD5
84f2881c8d18d8b18a4d02e6d8c97bd3

SHA1
3c9775b186297bdc4fb3e26147f2d5a0a1022500

SHA256
22959a6556b8aea5417f67f62f7c09f0139f59a411c23bbe6242640c38fb559f

SHA512
5c2590ad712f44be5e8f8eab79b6dd04c7fdf6f99593a07621d085eb998f48c3f59100a7c20e764d0752b5fe63fcee98d736855fa0af0b2613db6fc0607e5048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8e2d7294-a7e7-4697-ba74-4a903e95e843.tmp
Filesize
2KB

MD5
8517ce4000c8c03d35f8cbae5dd97b90

SHA1
f51648316e373c815f8279e6ac8f091fc53e338d

SHA256
a7c6730145f91cd3b08e61afccce3e55cc43716b732e874284f8f88819d503fd

SHA512
b20441e99bb06efeac22ed0d9b63d116d782bda7a51e1d44dc03552eab551657811ed682a2fba94d86d318f50283c599c5106dddbfb417fe0687243063a6b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e9a87c8dba0154bb9bef5be9c239bf17

SHA1
1c653df4130926b5a1dcab0b111066c006ac82ab

SHA256
5071c9de822e09f2182f66ab806551c02f87e20d160a4923ca1d9763194f2cb5

SHA512
bb4f876fc8a88e480d2d82062b003d2769b75a6cb1a960173bd6b34925a27b1189402677d9124b6445ded6edc3a07ff0e314b71150684e96bc6614185c2e2f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ff655f20149653b7cc90a054616d0968

SHA1
02515bec2664532585f2bd10eab0311ae1bdd462

SHA256
d4da3fa79f47d1a017f43d1e83d4e6fc5b74e1799620399c6cc11f6de6f00299

SHA512
53b54fbe865705794bcb13d9f23156f78623aa1a4c29ab70b117934b86a93f37b5c4d79bba9a1f08c5a4c9a6107a268832b7e9c861f9281f5bd081385ac01f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
1af59da57bd31b2890f6ba14450bf693

SHA1
dbfc2ae27d75ec477bc345ddaef5d014d39e7fbd

SHA256
f8dc745566a4b6de657ffa9f5ae2411d49b91db264a3fab19ecbfb12075865d9

SHA512
152ac52d4f295014c621048e90da8ab016472313e6392e5a53d87156df3c779557495bc8f10d3a2910812e3a9055e9ffd4e441c847a8c6220846a4731e72d908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
20719d2525403722b56b29ac37c67091

SHA1
e6bc350163c28218c23429fd3d10375357204af0

SHA256
78ae5f2dec5df51fce8e51be31d86bc5fcd8a81e7464057e73ee55b86b6ae295

SHA512
ba4111ecdec29f4dd0fecd97cac3b054757a19718ceac2bb965436b6e56bf533560c1f81dae06e1044463cf2cb668a5f7409f9a26293ae2f0928fea18ce7bd19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
35dc6895db72f5471a8fe0dea71c39cd

SHA1
b721a879adf752098bfae21d6e85d89392432eea

SHA256
7c631de17c3f4375a785f79206fbf81dba74884efcf6cfbc0d985ca5ccacd78b

SHA512
4b1180b0ea246d5dd01aea9a6e68dd0ad951b5b525208adf1ffd577af19b933a0effb3ed7a3597a5303bf58c8fc3d645db75279634a377c1d515b167c31f2f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5a2b95.TMP
Filesize
89B

MD5
bae1466ac25fe73f0a6fcc38e5143155

SHA1
a631f377c2c8c0d885f04ba439e9f015c7e6a425

SHA256
c9cbf1b870fe712238e65b75f3fedd91383b48301ad230afa80097772a619d62

SHA512
92586f0c27ff5135d7fdbb68bb4ba967f23f1b0b4cba57fd16acc2ff91a8a51f5e515cd7269c3da9b2a74831ed83e4a5088ab2bd4a46434c73c11847042b05bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5ab0a1c48893a573a4f8c26acb9c7e28

SHA1
90bbbd14489999fabc47bb6fcc5fb8678e9b0ea6

SHA256
701b48544b74cf6df9ebb2f6ed28982418dd76b2ca4466a28caf3a76157ae797

SHA512
dc9ae3da3a0cdee08d66d61b4c434311e747b7e887f2d519f673a098a72188f4a1eb8dc60c4f6ebc666cf18782d0998f311a27e4f879910ba4cdacf5b8f3652d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59dcf8.TMP
Filesize
1KB

MD5
997eef76d1e0d24279f050ea51470c1d

SHA1
065c0ca43cea9119376210e59ede27a1381f4367

SHA256
76f21c14ba4d932833f917f676f8d17ef8f8fec031ef82bcb52742d76235a39c

SHA512
14f58cd74971e03839a9931ed82eca4e42860372bb8bf020a15ea9b1dc66eb5b5e0519c10dc37243d76d7a94c40c897308aa1e5b646bf4f53060ea0f250dead3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3b0d0c1b0a08c1ee6feac13ba8d1970a

SHA1
50acae4b1317585a687082b5e87503d5f5436cdf

SHA256
1a14cd881f777356e55e8050e28ed531037716d5345fa0242158f815094f3f4f

SHA512
7950ab93516ed440af03528626e17e08429ddd121844f75bde4f92c7c3dd1af18d15016844bfe694b1ed81d45fd63887bb4aae93916911a992688bcee625a0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
3b0d0c1b0a08c1ee6feac13ba8d1970a

SHA1
50acae4b1317585a687082b5e87503d5f5436cdf

SHA256
1a14cd881f777356e55e8050e28ed531037716d5345fa0242158f815094f3f4f

SHA512
7950ab93516ed440af03528626e17e08429ddd121844f75bde4f92c7c3dd1af18d15016844bfe694b1ed81d45fd63887bb4aae93916911a992688bcee625a0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
8517ce4000c8c03d35f8cbae5dd97b90

SHA1
f51648316e373c815f8279e6ac8f091fc53e338d

SHA256
a7c6730145f91cd3b08e61afccce3e55cc43716b732e874284f8f88819d503fd

SHA512
b20441e99bb06efeac22ed0d9b63d116d782bda7a51e1d44dc03552eab551657811ed682a2fba94d86d318f50283c599c5106dddbfb417fe0687243063a6b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0008c9a46c8db81796ca98ffb1087fa0

SHA1
2184d6ef441d68e7ed8648a15634936008dff69d

SHA256
cffe1ce052b001a8489a698ec6cb6cd613d4488092d2d447580376e585470886

SHA512
6e0c5bea413638da30557ff1ad3226954bbe80a1e86ca84f82d0fe4adf9933d44926f882f84470523d18c674dcbc966c31dbbe01fbe300352bee50283814c97b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
775eeefc1408bf2899bf89f579029468

SHA1
a83d615548b574bbdf4fa346f47e97c4c84f90a6

SHA256
5f78deffbc49b44a36dcd1371126c35cadd6e7cbf5a3d25b2f5d0ac04961292a

SHA512
64afe50b4deac4c7ed0923a5b53fb1f2d0cbac8f3141f696f6918700b925efb6bbc5dc2851ad337eff5c228a6cdbcad8f805c1d0528807943aa123ef85d9e88d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
d137844aaea5fb048b40301b2347cd75

SHA1
e2268cb69af965dc7f79dbac1d76131fcfb9a56d

SHA256
fae9f6164b7f7d951049f64199ccb033732c0d9205c0ed1404bbe1ac1cc0311b

SHA512
f16d4adaaa2e65ae3cbb01e9ab95fc5ab547432ad2aef6fa54f3d20addb0a37129bef5e3fbfed1a6c67870c9f16c66a2d8fdd2170273bd31916eb007b1077f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
84f2881c8d18d8b18a4d02e6d8c97bd3

SHA1
3c9775b186297bdc4fb3e26147f2d5a0a1022500

SHA256
22959a6556b8aea5417f67f62f7c09f0139f59a411c23bbe6242640c38fb559f

SHA512
5c2590ad712f44be5e8f8eab79b6dd04c7fdf6f99593a07621d085eb998f48c3f59100a7c20e764d0752b5fe63fcee98d736855fa0af0b2613db6fc0607e5048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
8517ce4000c8c03d35f8cbae5dd97b90

SHA1
f51648316e373c815f8279e6ac8f091fc53e338d

SHA256
a7c6730145f91cd3b08e61afccce3e55cc43716b732e874284f8f88819d503fd

SHA512
b20441e99bb06efeac22ed0d9b63d116d782bda7a51e1d44dc03552eab551657811ed682a2fba94d86d318f50283c599c5106dddbfb417fe0687243063a6b7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
84f2881c8d18d8b18a4d02e6d8c97bd3

SHA1
3c9775b186297bdc4fb3e26147f2d5a0a1022500

SHA256
22959a6556b8aea5417f67f62f7c09f0139f59a411c23bbe6242640c38fb559f

SHA512
5c2590ad712f44be5e8f8eab79b6dd04c7fdf6f99593a07621d085eb998f48c3f59100a7c20e764d0752b5fe63fcee98d736855fa0af0b2613db6fc0607e5048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
7162eb02ff8412f711578382fe700cb7

SHA1
7f6b281b5114abdc08f5ffcdfa7741e92c644bff

SHA256
b87e0f5ebc4fae2f32dfe03fc8a25d51ab24bae1d96555fbc9ef07a62a1a863a

SHA512
a4aca52d70fcbf2951fcda97f2061d32d8e81bdf235d3d5373165280e1a24c0c337c643d3cbe4d71a4b2d67e9e780452f6e3d5aa3b150ac3f748ac26139cefa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA11.exe
Filesize
1.5MB

MD5
0114da581c56c83c54315078cdb049fc

SHA1
b5ecc98c7d0ed52625d0f2fe16df4347ba478bce

SHA256
901af3279614c06f2f27461f8385b39b1f5d2499a409dffa5013f26ab66561e2

SHA512
5cdfac44026a245ea36e11e93bcdf669e8ead3c91c2306792f69d98f04a78b445ef5cbd45b8bad2da4e30d48677bf68868f863cb7cc42a9bd3cc3682bc3d7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA11.exe
Filesize
1.5MB

MD5
0114da581c56c83c54315078cdb049fc

SHA1
b5ecc98c7d0ed52625d0f2fe16df4347ba478bce

SHA256
901af3279614c06f2f27461f8385b39b1f5d2499a409dffa5013f26ab66561e2

SHA512
5cdfac44026a245ea36e11e93bcdf669e8ead3c91c2306792f69d98f04a78b445ef5cbd45b8bad2da4e30d48677bf68868f863cb7cc42a9bd3cc3682bc3d7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAED.bat
Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBC9.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBC9.exe
Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD41.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CD41.exe
Filesize
221KB

MD5
73089952a99d24a37d9219c4e30decde

SHA1
8dfa37723afc72f1728ec83f676ffeac9102f8bd

SHA256
9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60

SHA512
7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh8nj1Cy.exe
Filesize
1.3MB

MD5
b0ff33834474b5770eea8d7d12d86df0

SHA1
2e28fbd7f1ecb69a69e5631073a4fb659aaea129

SHA256
91800bb40632602e93738e41a186c2ad604a039e279a5fe7f35cf4491198fcaa

SHA512
0c4ebb5bb9065098e79260160d7c162fe7997d028d04f5770937431695cd1f6d1242daaa683de5c1e8fc8ae21d14ab40065b5bc9c5446d9e2354df873ac09903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh8nj1Cy.exe
Filesize
1.3MB

MD5
b0ff33834474b5770eea8d7d12d86df0

SHA1
2e28fbd7f1ecb69a69e5631073a4fb659aaea129

SHA256
91800bb40632602e93738e41a186c2ad604a039e279a5fe7f35cf4491198fcaa

SHA512
0c4ebb5bb9065098e79260160d7c162fe7997d028d04f5770937431695cd1f6d1242daaa683de5c1e8fc8ae21d14ab40065b5bc9c5446d9e2354df873ac09903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty8wK5MD.exe
Filesize
1.2MB

MD5
d7e0d6f630f523e18b94eadf443a7d5f

SHA1
369a6f11f1dc8ace71fe321f2e45e72144ce139e

SHA256
edb7d7a0efb8f3a4b5413ab23e7673a75b2d77eb639a9424ac969030b43318b2

SHA512
11e521966400be47b25f0db45740dd745d6f3adddb1ab046ab37102926076a881fd505ed9ce3480a17e2bc8c7310f22bf4a9b054947664a6797baab7e6f1c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty8wK5MD.exe
Filesize
1.2MB

MD5
d7e0d6f630f523e18b94eadf443a7d5f

SHA1
369a6f11f1dc8ace71fe321f2e45e72144ce139e

SHA256
edb7d7a0efb8f3a4b5413ab23e7673a75b2d77eb639a9424ac969030b43318b2

SHA512
11e521966400be47b25f0db45740dd745d6f3adddb1ab046ab37102926076a881fd505ed9ce3480a17e2bc8c7310f22bf4a9b054947664a6797baab7e6f1c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cW0ku1hV.exe
Filesize
769KB

MD5
dd543ab4f370a8fc02c3250965d69bb5

SHA1
7eff0f6d12b1403432bebbb59c40d4314a85d830

SHA256
16aa8f50b4a7f6e36c1bd8a5dc8d00bc42afe491a4ef596edd3661fb7865a0de

SHA512
ab3a575665737ae33bae635cb95349d9e72681dbc3680bad8c225f64feafc3324cb6b638f42975b7ed263158a01e41f9d35ae9ef9ca5f184a65136ac75066315

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cW0ku1hV.exe
Filesize
769KB

MD5
dd543ab4f370a8fc02c3250965d69bb5

SHA1
7eff0f6d12b1403432bebbb59c40d4314a85d830

SHA256
16aa8f50b4a7f6e36c1bd8a5dc8d00bc42afe491a4ef596edd3661fb7865a0de

SHA512
ab3a575665737ae33bae635cb95349d9e72681dbc3680bad8c225f64feafc3324cb6b638f42975b7ed263158a01e41f9d35ae9ef9ca5f184a65136ac75066315

Download Submit
\??\pipe\LOCAL\crashpad_1948_XEPTXGVQEMNJNHEG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2032_ASCWUWCGSLIVSJRO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2376_KNVLKPVSIKCJTUXH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2408_XFECNZHYUYDNBFOI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3808_IJXWSFNIDSDACULI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4708_FVECEGHVZVJRMJSW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_652_LFWABQCQXPUXGSMP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/584-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/584-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/584-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3308-2-0x00000000014E0000-0x00000000014F6000-memory.dmp

Filesize
88KB

Download
memory/4144-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download